
Cyber threats to financial institutions, electric utilities, broadband providers, government agencies, Hollywood studios and even emerging Web-connected household appliances get a lot of ink. But one major potential threat vector, television and radio broadcasting, doesn't conjure up the kind of concerns that these other avenues of cyber intrusion do.

That's changing, though, in the wake of a major cyber attack that took place last April when French broadcaster TV5Monde was hijacked, with eleven of its channels going dark and its social media outlets commandeered to display pro-ISIS messages. Although a group called the CyberCaliphate claimed credit for the damaging breach, the French government has lately cast some blame on Russian hackers who, the government suggests, were using the CyberCaliphate as a false flag.

Whatever the case may be, the TV5Monde attack was a wake-up call to the broadcasting sector that it too is vulnerable to the kinds of disruptive cyber intrusions and attacks that affect other critical aspects of society. That's why top broadcasting publication TVNewsCheck and I have joined hands to offer the first-of-its-kind webinar, "Cybersecurity for Broadcasters: Ten Steps You Need to Take Right Now," aimed at helping broadcasters come up to speed on how to protect their assets from unwanted and potentially damaging cyber intrusions and how to become more resilient in the face of what will undoubtedly be more cyber attacks in the future.

Slated for July 22 from 2 pm to 3:30, the webinar features a top line-up of experts (with more to come) including:

For more background on the array of cybersecurity concerns that broadcasters face, check out the piece I wrote for TVNewsCheck that I hope lays it all out fairly well, and stay tuned for more information as we update the speaker line-up. If you have any thoughts or questions, drop me an email. (As a personal aside, it's been nice to bring my two areas of professional experience, communications media and cybersecurity, together in an interesting project, something I hope to continue to explore.)

And don't forget to check out Metacurity.com, a continuously updated source of cybersecurity intelligence and news aimed at solving the info-overload that increasingly bedevils most infosec professionals.

Last week I posted an analysis of how often various publications appeared during the first six weeks or so of active tracking on Metacurity, our new continuously updated resource on cybersecurity news and information. (For more on Metacurity and how we're selecting which articles and blog posts make the cut, see this post).

Now we turn to the actual journalists, bloggers, pundits and others who actually write the posts. As the table below shows, 128 writers appeared more than once in approximately 1,220 posts from March 29 through mid-day on May 6 (links are to the writers' Twitter profiles, where they could be found).

Topping the list is Darren Pauli from The Register, not a surprise given that The Register also topped our list of publications, focused as it is on the nitty-gritty of IT technology. In fact, the vast majority of writers who top the list below are focused almost exclusively on matters related to information security -- again no surprise.

A word of caution though: quantity does not necessarily equal quality. Many of the top writers working in the field appear lower down on the list presumably because they are not pressured to fill the hole each day and are given some latitude to spend time on bigger pieces or on related beats, such as privacy and national security.

In addition, some excellent writers are working for publications that put content behind paywalls and are not reflected here (Politico is the exception because some Politico pieces are available without paid subscriptions).

I was surprised at the amount of feedback I received on the first post detailing the publications by the numbers and welcome again feedback on this list. As Metacurity evolves we will be adding additional publications, bloggers and sources and new features that make the site a more dynamic resource for cybersecurity news and information. Give us your feedback on the sources we rely upon and what additional information we should be incorporating into our system.

(Update: Astute reader and topic maps (semantic integration) maven Patrick Durusau pointed out to me that I had the New York Times listed twice in an earlier version of this list, once as The New York Times and once as simply New York Times. The new list corrects this glitch. Not only that but he also pointed out that National Journal and NextGov are different publications, which they indeed are. But because NextGov publishes so many National Journal pieces, I'm not 100% certain from the data alone which came from which, so I merged the two. He also kindly went out of his way to put hyperlinks to the relevant publications in my table!)

Starting on March 29, I began to systematically sift through voluminous news articles, blog posts and other sources to pick the most relevant, timely and knowledgeable items on cybersecurity matters to post on Metacurity.com. (See previous post for an introduction to Metacurity and an explanation of the criteria used for selection.) From that date through mid-day on May 6, Metacurity featured 1,220 posts from across well over 100 different publications, mostly traditional consumer interest and trade publications, as well as specialized blogs.

In an effort to improve the selection and publication process, we’re currently analyzing the data to develop better filters and formulas. One slice of interesting information is the frequency with which various publications appear across the still-nascent data set – obviously over time the data will change as the database gets bigger, more sources are added and newsworthy developments shift.

*Technically a corporate blog by Kaspersky but features many newsworthy, journalistic-type posts.

**Technically a corporate blog by Google but important because of the nature of the posts.

***Recent resource added.

Of the sources published, 57 or 58 publications (I merged National Journal and NextGov) received two or more posts, excluding posts from vendor blogs. Of these 57 or 58 sources, The Register grabbed more of the screen time than any other publication, no surprise given its focus on the nitty-gritty reality of IT technology. Likewise, all but one of the other top ten resources have as their main focus information security, IT technology or other specialized subjects where cybersecurity is a main concern.

The appearance of inside-politics publications such as the National Journal (which cross-publishes with NextGov) and The Hill is likewise no surprise given the ascendancy of cybersecurity in Washington and the pendency of cybersecurity legislation. A good deal of excellent coverage of Washington-related cybersecurity matters appears in paid-access-only publications such as Politico, which last year launched its own cybersecurity publication and makes some articles available outside its paywall. Paid-access publications don’t appear on Metacurity because, well, that would be too frustrating for casual visitors. This may change over time.

For now, this list is interesting but definitely subject to change as time moves on, as more publications beef up their cybersecurity beats and as we refine our methods for pinpointing the best sources and items of information.

Stay tuned and please talk to us. Tell us what resources we're missing that you rely on and what additional types of information you'd like to see in the mix.

It’s been a long time since I blogged here – about a half a year actually. In that time I’ve been working on various projects that pushed blogging to the back seat. One of those projects was to redesign this blog into a more professional look and integrate the blog into a redesigned corporate website, with a common look-and-feel.

Along the way, I decided to incorporate into the new integrated sites a “news feed” that addresses a problem plaguing the digital and network security sector: information overload. Fairly soon, that redesign project took a back seat to figuring out how to sift through the escalating number of news stories, journal articles and other sources of cybersecurity information and present it in a way that is the most helpful to overworked cybersecurity practitioners and other professionals interested in the subject.

For at least the past five months I’ve increasingly focused on that challenge to the point that it’s almost become a more than full-time job. The result of that work is a stand-alone website, Metacurity. Relying on over fifty (and growing) standard sources of cybersecurity news, plus dozens of other sources, Metacurity is an evolving site that presents sifted, breaking and other news in a clean, easy-to-scan format.

I’ve worked out a system for selecting the most timely, useful and relevant articles, blog posts, and other sources and publishing them in summary form, with links directly back to the sources themselves. Although still wholly subjective and imperfect, I use a rough set of criteria for what gets published. These criteria generally are:

Timeliness: Although articles that break news aren’t necessarily always the most informative or best, being first does matter, if for no other reason than it shapes the conversation.

Level of Skill: Well-written articles and posts that do justice to the subject catch more attention. Articles that are nothing more than a couple of paragraphs, gloss over or fail to point out important distinctions or are extremely late to the game don’t appear that frequently.

Originality: A related criterion is originality. Items that are typically rewrites of press releases or rewrites of major news stories with very little additional reporting or analysis are low on the priority list.

Pure-Play: The topic of cybersecurity overlaps with so many other topics – privacy, cloud computing, national security, criminal justice, diplomacy and other major concerns. It’s difficult to parse out articles, reports, blog posts and studies that are solely focused on how to maintain secure reliable networks. But, those articles that do deal mostly or exclusively with cybersecurity get higher priority.

Impact: Some “scoops” have major impact on discussions surrounding cybersecurity. Some headline-breaking articles in the cybersecurity arena do not necessarily hold up under further analysis but nonetheless create a stir. Although rare, these kinds of reports are higher on the priority list.

In the middle of the site, or further down the screen on mobile devices, appear blog posts produced by cybersecurity vendors labeled as “Corporate Posts.” These items are useful and often news-making posts produced by the dozens of vendors in the IT and information security arena. (Although the Corporate Posts are selected based on editorial judgment, we are offering vendors the opportunity to spotlight their posts at the top of this section via sponsorships. We are also offering companies the ability to promote their employment opportunities and conference organizers to promote their events via highlighted entries in our events section.)

Ultimately Metacurity will become much more efficient at picking out what’s important based on data analysis. As Metacurity evolves, we’ll add more and different types of information. I want feedback on how to make the site better and more informative. Please contact us and share your thoughts. Happy reading!

And yeah…I’m finally getting around to the redesign of this blog. Stay tuned.

Last week, the National Institute of Standards and Technology (NIST) held its sixth workshop in Tampa, FL, on the landmark critical infrastructure cybersecurity framework mandated by President Obama in February 2013 and issued by NIST in February 2014. As was true of the five previous workshops NIST held prior to the framework's release, hundreds of cybersecurity specialists gathered for two days to listen to government and industry experts and to hash out the framework's details across multiple, specialized working sessions.

While the event covered a lot of ground, tackling a range of technical and detailed topics from relatively specialized matters such as authentication issues in industrial control security to broader overviews of how various sectors are dealing with the framework, a few themes emerged from the sessions and conversations with the attendees. Here are the top four take-aways from the latest workshop:

1. Everyone Likes the Framework: Almost everyone said the framework is a good thing, although, as noted below, there are some issues that specialists still have with the framework's ongoing development. Not surprisingly, representatives from industry, UK and EU governments invited to speak on the plenary session panels offered almost uniformly positive views of the framework. "We began using the framework essentially the day it came out," Tim Casey, a senior information risk analyst at Intel said. "It gave us purpose and direction that we didn't have previously," Jefferson England, an executive at small telco Silverstar Communications, said.

Conversations with attendees yielded more of the same. "This is a good force multiplier. It's a common unified framework for managing security risks," Robert Brown, Manager of Assurance at PWC, said. "People have seemed to really embrace it," according to Phil Agcaoili, VP and Chief CISO at Evalon. "There are all sorts of ways this could have gone wrong and it didn't," Chris Blask, Chair at Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), said.

Much of the good vibes flowed from the sense of collegial community that has cropped up over the course of the multiple workshops among the many hundreds of cybersecurity specialists. (Frequent jokes were made about the T-shirts given to people who had attended every workshop). The framework process has really "put trust across the sectors," Jack Whitsitt, Senior Analyst of cybersecurity consortium EnergySec, said, highlighting the fact that cyber specialists in different industries now share information outside their sectors because of the relationships forged during the NIST framework process.

2. The Framework's Primary Value To Date Seems to Be as a Communications Tool: The jury's out in terms of whether the framework has actually achieved its intended goal of reducing cybersecurity risks, but it's clear that the subject matter experts who were at the workshop think it's a good device for trying to communicate the arcane subject of cybersecurity to managers, regulators, vendors, partners and other audiences. "One of the largest benefits of the framework is that it provided a framework of discussion, as much as anything else," Silverstar's England said.

"We're using it as an engagement tool for our regulators," Karl Schimmeck of the Securities Industry and Financial Markets Association, said. "We're hoping that it becomes the common language when you're talking to suppliers, vendors, joint ventures," a senior oil and gas industry representative said. "I'm using it to inform my board and executives," Evalon's Agcaoili said.

3. Otherwise the Framework Is Still Kind of Difficult to Use: Despite being built on the notion of simplicity, the NIST framework is a 41-page document that features core sets of activities, multiple tiers and intricate mapping to hundreds of detailed cybersecurity standards developed by a welter of standards-setting bodies. Most of the practitioners in attendance at the workshop said that the framework, despite its communication value, can at times be quite a challenge to use. "These frameworks are alphabet soup," PWC's Brown said.

"The mapping process is nuts," Dorian Cougia, Compliance Scientist at Unified Compliance said. Part of the problem is that the intricate standards that are mapped to the framework can run dozens and even hundreds of pages long and it's not always clear which parts of the standards apply to what. "There were times when we did not exactly understand what the framework meant," one top energy cybersecurity specialist said.

"The content of the framework really doesn't matter," EnergySec's Whitsitt said. "Organizations that don’t know how to do security already will have a hard time with it."

The difficulty in using the framework can be greater for smaller and mid-sized organizations that don't have cybersecurity experts on staff, a topic much discussed during the framework's development. "The big guys do this already," one communications industry representative said. "They wouldn't be in business if they weren't protecting their networks for financial reasons." The smaller guys, however, are struggling to come up to speed with what the framework demands, she noted, because they may have at most only one IT person on staff assigned to implement security measures.

The right way to view the challenge of using the framework isn't big versus small, according to Adam Sedgewick, who spearheads the project for NIST, clarifying that it's more about how serious the company is about cybersecurity, regardless of size. "I think it's a mistake to think that small and medium companies do not have good cybersecurity practice as a rule. I think it's more appropriate to say companies that do not have robust cybersecurity programs" face greater challenges.

4. There Won't Be a Framework 2.0 Any Time Soon: Two mantras emerged from the government and NIST speakers at the workshop. The first is that "it's still early days" for the framework and too soon to gauge its effectiveness. The second, related concept is that no basic changes to the framework are in the offing anytime soon.

"We want to make sure that people understand we don't expect changes to the framework in the future," Ari Schwartz of the National Security Council said. "We are in no rush to make changes without knowing or understanding what effect those changes might have," Matt Scholl, Deputy Division Chief at NIST said.

Cybersecurity is already shaped by endless organizations, government agencies, schemas, frameworks and evolving standards, NIST's Sedgewick said. "We have to be careful when we think about the next phase of this effort to reduce that complexity and not increase it."

That view was embraced by most of the workshop attendees. However, some of the industry specialists who are implementing the framework think changes are needed sooner rather than later. "It is useful but it still needs more work," one big electric utility representative said. "If something is missing, they don't know something is missing. They should not wait too long to update the core."

(Washington, DC) In the face of cybersecurity threats that seem to breed like bacteria, a conceptual fix is to speed up cybersecurity development to outpace the rapid-fire evolution in technology, the head of the Defense Advanced Research Projects Agency (DARPA) said today. Speaking at a cybersecurity summit hosted by the Washington Post, Arati Prabhakar, Director of DARPA, said "we are trying to wrangle this problem while the information revolution is exploding. The moonshot for cybersecurity in my view is to find techniques that scale faster than this revolution."

One key problem is that the Internet was developed -- under DARPA's auspices -- at a time when the current kinds of security threats were unimaginable. If DARPA had a clean slate to rebuild the Internet to make it more secure, one concept would be to apply a biological model to network security, she said. "Under the hood there is a lot of diversity among individuals [s]o one attack cannot wipe out the human race," Prabhakar said, drawing parallels between the efforts DARPA spearheads to help the public health community outpace infectious diseases and its simultaneous efforts to develop automated cyberdefense systems.

The scariest cybersecurity threat is a potential take-down of the power grid. But that's an unlikely prospect for the typical IT hacker, Andy Bochman, Senior Cyber and Energy Security Strategist at Idaho National Laboratory, said. "The communication protocols and the types of processors and the amount of memory is often wholly different" for the energy sector's industrial control systems. "For the standard hacker, it would be a strange place."

Still, to the extent that power companies are putting into place new technology, there is a "tremendous opportunity" to minimize risk. "The more that electric utilities and stakeholders include security requirements into their RFPs, [t]hat gives signals to the manufacturers that what wasn't important before is suddenly something they should pay attention to," Bochman said.

It's unlikely that Congress will step in with its own solution during the upcoming lame duck session, Rep. Mike Rogers (R-MI), retiring Chairman of the House Intelligence Committee, indicated. "We have a very small window to get this done [pass a cybersecurity bill]," he said. "The political challenges in the Senate make the odds pretty high," with Rogers blaming the failure to pass a bill on "political tantrums."

Only 15% of networks are owned by the U.S. government and thus benefit from the cybersecurity protection of the military and various federal agencies. "By doing nothing in Congress, we are telling these 85% of private networks 'you are on your own,'" mainly due to the difficulties in sharing information between public and private groups, a knowledge gap that most cybersecurity bills aimed to minimize.

Meanwhile, the federal government is doing what it can to help raise the level of cybersecurity practices around the globe. Federal agencies are increasingly coming together to work with other nations in securing the necessary infrastructure against the "less deterrable" threat actors, such as Iran and Korea as well as terrorist organizations. "The good thing is that more and more countries are taking this seriously," Christopher Painter, Coordinator, Cyber Issues at the State Department, said.

Around 60 countries are looking to build cyber command operations, Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security for the Defense Department, said. The U.S. government is helping some of those countries, particularly in Europe and Asia, build that capacity. "There are a small group of countries that we are advising. [W]e only do it with our very closest partners, mostly because we want to make sure it's being done right."

Six months after its release, the cybersecurity framework issued by the National Institute of Standards and Technology (NIST) received mixed reviews from a group of cybersecurity specialists who've now had time to give the landmark system a closer look. At a webinar hosted yesterday by both the Industrial Control System Information Sharing and Analysis Center (ICS ISAC) and my own firm DCT Associates, the early assessment of the framework ranged from "pleased" to "failed," with a general sense that the framework doesn't replace the hard work of implementing adequate cybersecurity controls.

"I'm relatively pleased," Chris Blask, Chair of the ICS ISAC said. "What we want to achieve from all these sorts of things, rather than force people to comply with specific activities, is encourage all the relevant players to take steps that result in a more secure infrastructure."

"From an operator perspective, a document like this [the framework itself] is quite intimidating," Kevin Morley, Security and Preparedness Program Manager, American Water Works Association (AWWA), said. "This is a little bit abstract and we felt we needed a different approach," which is why the AWWA developed its own security guidance for the water sector. Nevertheless, AWWA mapped its separate guidance to the NIST framework and found that the two are 100% aligned, Morley said.

"You can look at the NIST CSF as a success and you could say it’s not a bad outcome. I believe you could only say that if you have very low expectations," Perry Pederson, Co-Founder and Managing Principal at The Langner Group said. "Compliance with the NIST CSF only requires adopting the terminology. If you speak in those terms and talk in those terms you can be compliant with the framework without changing anything you have to do. It’s really a business-friendly framework because it allows the business to decide based on its needs and resources to simply cherry pick what it wants."

Japp Schekkerman, Director of Global Cyber Security at CGI Group, agreed with Pederson. The framework is "addressing all kinds of questions [b]ut it doesn’t tell you how to do it," he said. "If you’re not familiar with the standards [referenced in the framework], you don’t know what to do."

The framework wasn't intended to provide a technical blueprint telling cybersecurity specialists what to do, Greg Witte, Program Manager, Security Standards Team, G2, countered. "It really is about communication and awareness," he said. "We should not be directing people and making it mandatory."

"The framework is a way to have a discussion about managing risk," Adam Sedgewick, who spearheads the framework initiative for NIST, said during an interview earlier in the week. Still, NIST welcomes criticism and hopes to solicit a wide range of opinions on the framework's effectiveness through a request for information issued today in preparation for a framework workshop NIST will host in October. "We really do want a healthy debate, we welcome criticism."